Closed c4-bot-4 closed 5 months ago
init is called with BoringFactory, this is a no factor
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
no factor
0xCalibur (sponsor) disputed
Invalid, relies on admin error, i.e. admin does not initialize it on deployment
thereksfour marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-abracadabra-money/blob/main/src/blast/BlastWrappers.sol#L59
Vulnerability details
Impact
The BlastCauldronV4.init() function initializes the contract after deployment. However, there is no access control on the public function, allowing any user to initialize the contract with arbitrary input and set the state variables for collateral, oracle, oracleData, accrueInfo.INTEREST_PER_SECOND, LIQUIDATION_MULTIPLIER, COLLATERIZATION_RATE, BORROW_OPENING_FEE.
Additionally, the function can be front-run since there is no access control.
Proof of Concept
A direct or front-run call to https://github.com/code-423n4/2024-03-abracadabra-money/blob/main/src/blast/BlastWrappers.sol#L59-L72 BlastCauldronV4.init() would set the collateral, oracle, oracleData, accrueInfo.INTEREST_PER_SECOND, LIQUIDATION_MULTIPLIER, COLLATERIZATION_RATE, BORROW_OPENING_FEE state variables in https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/cauldrons/CauldronV4.sol#L137-L152
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Access Control
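The two controls the discussion above turns on, a one-time initialization guard and initializing in the same transaction as deployment (the role the judge attributes to BoringFactory), shown as an added illustration that is not the Abracadabra code or the report's own; contract names, the `initialized` flag and the decode layout (modeled on the state variables the report lists) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical cauldron-style contract: keeps the "public init(bytes)" shape
/// but refuses a second call, so the first (deployment-time) init is final.
contract GuardedCauldron {
    address public collateral;
    address public oracle;
    bytes public oracleData;
    uint64 public interestPerSecond;      // stands in for accrueInfo.INTEREST_PER_SECOND
    uint256 public liquidationMultiplier;
    uint256 public collateralizationRate;
    uint256 public borrowOpeningFee;
    bool private initialized;             // assumed one-time guard, not from the page

    error AlreadyInitialized();

    /// Public and unauthenticated on purpose (matching the pattern under
    /// discussion); the guard below is what makes a later call harmless.
    function init(bytes calldata data) public payable {
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        (
            collateral,
            oracle,
            oracleData,
            interestPerSecond,
            liquidationMultiplier,
            collateralizationRate,
            borrowOpeningFee
        ) = abi.decode(data, (address, address, bytes, uint64, uint256, uint256, uint256));
    }
}

/// Deploys and initializes atomically: no block ever contains an
/// uninitialized cauldron that a third party could call init on first.
contract CauldronFactory {
    event CauldronDeployed(address cauldron);

    function deploy(bytes calldata data) external payable returns (address) {
        GuardedCauldron c = new GuardedCauldron();
        c.init{value: msg.value}(data); // same transaction as deployment
        emit CauldronDeployed(address(c));
        return address(c);
    }
}
```

If a deployer instead creates the contract and calls init in a separate transaction, only the one-time guard remains, and whoever lands the first init call sets the state; that window is the admin-error case the judge refers to.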